handnot2 / samly

Elixir Plug library to enable SAML 2.0 SP SSO in Phoenix/Plug applications.
MIT License

Shibboleth demo sending empty assertion attributes #55

Closed hodak closed 4 years ago

hodak commented 4 years ago

Hi, I'm having a problem with Shibboleth configuration and am a bit lost where to look for the solution. I have just set up samly_howto with both samly_simplesaml and samly_shibboleth. While there's no problem with SimpleSAML, I receive an empty attributes map in assertion from Shibboleth. I went through the steps described in this post: https://handnot2.github.io/blog/auth/saml-auth-for-phoenix

# config/path_segment_ssp_samly_config.exs

use Mix.Config

config :samly, Samly.State,
  store: Samly.State.Session,
  opts: [key: "my_samly_state_session_key"]

config :samly, Samly.Provider,
  idp_id_from: :path_segment,
  service_providers: [
    %{
      id: "sp1",
      entity_id: "urn:samly.howto:samly_sp",
      certfile: "priv/cert/samly_sp.pem",
      keyfile: "priv/cert/samly_sp_key.pem",
      contact_name: "Samly Howto SP1 Admin",
      contact_email: "sp1-admin@samly.howto",
      org_name: "Samly Howto SP1",
      org_displayname: "Samly Howto SP1 Displayname",
      org_url: "https://samly.howto:4443"
    }
  ],
  identity_providers: [
    %{
      id: "idp",
      sp_id: "sp1",
      base_url: "https://samly.howto:4443/sso",
      metadata_file: "idp_metadata.xml",
      pre_session_create_pipeline: SamlyHowtoWeb.Plugs.SamlyPipeline,
      allow_idp_initiated_flow: true,
      use_redirect_for_req: false,
      sign_requests: true,
      sign_metadata: true,
      signed_assertion_in_resp: true,
      signed_envelopes_in_resp: true,
      nameid_format: :transient
    },
    %{
      id: "idp2",
      sp_id: "sp1",
      base_url: "https://samly.howto:4443/sso",
      metadata_file: "idp2_metadata.xml",
      pre_session_create_pipeline: SamlyHowtoWeb.Plugs.SamlyPipeline,
      allow_idp_initiated_flow: true,
      use_redirect_for_req: false,
      sign_requests: true,
      sign_metadata: true,
      signed_assertion_in_resp: true,
      signed_envelopes_in_resp: true,
      nameid_format: :transient
    }
  ]

idp is Shibboleth's configuration, idp2 is SimpleSAML's configuration.

Visiting https://samly.howto:4443/?idp=idp2, "Sign In"

Everything works well. After clearing cookies and visiting https://samly.howto:4443?idp=idp

I receive an empty attributes map. I left an IO.inspect here: https://github.com/handnot2/samly_howto/blob/master/lib/samly_howto_web/plugs/samly_pipeline.ex#L9 and that's the result:

When starting the server I do receive the [warn] [Samly] SLO Endpoint missing in ["idp_metadata.xml"] error.

Can this be the reason? I have not changed any configuration in samly_shibboleth.

I would greatly appreciate any help that would help me understand how to configure Shibboleth to work with Samly. It's a great library that we use to host IdPs from Azure, G Suite, Auth0, and Okta. That's the first IdP where we hit the wall.

Update Here's a log from Shibboleth's start to the point where I'm back in samly_howto.

Update2

hodak commented 4 years ago

Closing https://github.com/handnot2/samly_shibboleth/pull/1

jehanproc commented 4 years ago

Hello, looking around for my issue between my Shibboleth IdP and a Service Provider which couldn't consume attributes sent in the SAML SSO assertion, I guess your resolution solves the problem? Can you be more explicit on what the issue was?

My recent test seems to work fine in regards to the web browser result and my Shibboleth IdP logs:

INFO [Shibboleth-Consent-Audit.SSO:241] - 20200710T094327Z|recruitee|AttributeReleaseConsent|procacci|eduPersonAffiliation,eduPersonPrincipalName,mail,uid||true,true,true,true

Thanks.

hodak commented 4 years ago

@jehanproc In the case of this issue and this resolution: https://github.com/handnot2/samly_shibboleth/pull/1/files for us the problem was an incorrect SP Entity ID. We tried using an SP that didn't have whitelisted attributes to share with this SP, so the SSO flow came back with empty attributes. With this change, going through this tutorial should now work: https://handnot2.github.io/blog/auth/saml-auth-for-phoenix
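The failure mode in this thread is worth guarding against in the SP itself: when the IdP's attribute release policy does not match the SP entity ID, the assertion is still valid and signed, it just carries no attributes, and a pipeline that only reads attributes will happily create a session for a user it knows nothing about. The following is an added example, not code from samly or samly_howto, of a `pre_session_create_pipeline` plug that fails closed in that situation. It follows the pipeline shape from the samly README (`conn.private[:samly_assertion]` holding a `%Samly.Assertion{}`, `put_private/3` to store computed attributes, and halting the conn to stop session creation); the required attribute names `uid` and `mail` and the module name are assumptions for the example.

```elixir
defmodule SamlyHowtoWeb.Plugs.StrictAttributePipeline do
  @moduledoc """
  Added example (not part of samly or samly_howto): a pre_session_create_pipeline
  that refuses to create a session when the IdP released none of the attributes
  the application depends on, and logs enough context to debug the release
  policy / entity ID mismatch on the IdP side.
  """
  use Plug.Builder
  require Logger
  alias Samly.Assertion

  # Assumed for this example: the attribute names the application cannot work
  # without. Match these to the names your IdP actually releases.
  @required_attrs ["uid", "mail"]

  plug :require_attributes
  plug :compute_attributes

  # Fail closed: an empty or incomplete attribute map means the IdP did not
  # release attributes for this SP (e.g. attribute-filter policy keyed on a
  # different SP entity ID), so no session is created.
  def require_attributes(conn, _opts) do
    %Assertion{attributes: attrs, idp_id: idp_id, issuer: issuer} =
      conn.private[:samly_assertion]

    missing = Enum.reject(@required_attrs, &Map.has_key?(attrs, &1))

    if missing == [] do
      conn
    else
      Logger.warning(
        "[Samly] IdP #{inspect(idp_id)} (issuer #{inspect(issuer)}) released " <>
          "#{map_size(attrs)} attribute(s); missing required #{inspect(missing)}. " <>
          "Check the SP entity ID against the IdP attribute release policy."
      )

      conn
      |> send_resp(403, "Identity provider did not release required attributes")
      |> halt()
    end
  end

  # Only reached when all required attributes are present.
  def compute_attributes(conn, _opts) do
    assertion = conn.private[:samly_assertion]

    computed = %{
      "username" => Map.fetch!(assertion.attributes, "uid"),
      "email" => Map.fetch!(assertion.attributes, "mail")
    }

    put_private(conn, :samly_assertion, %Assertion{assertion | computed: computed})
  end
end
```

To use it in the configuration posted above, point `pre_session_create_pipeline:` at `SamlyHowtoWeb.Plugs.SamlyPipeline`'s replacement, `SamlyHowtoWeb.Plugs.StrictAttributePipeline`. With this in place the Shibboleth case in this issue would have produced a 403 and a log line naming the IdP instead of a logged-in session with an empty attribute map.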